Network segmentation is one of those tried-and-true network security principles that has been around since the dawn of IT.
Going back to the works of James Martin and Saltzer and Schroeder from the 1970s, the concepts of least privilege and separation of duties have taught enterprises to provide users access to only those systems for which there's a business need and nothing more. Yet, decades later, there are countless security incidents that involve someone gaining unauthorized access to systems they never should have been able to reach.
Obviously something's amiss. Take, for instance, the recent Chinese breaches of European networks where hackers infiltrated the network and used high-privilege access to pilfer data. These attacks could have been prevented had the proper access restrictions been put in place with network segmentation.
In this tip, we'll review the benefits -- and, yes, drawbacks -- of enterprise network segmentation, and highlight best practices to apply segmentation to reduce the risk posed by today's numerous network security threats.
The benefits of network segmentation
Network segmentation is defined as the separation or isolation of networks -- typically using one or more firewalls -- but in government or military contexts it can mean physically isolated networks that, for security reasons, have no connection with other networks or the Internet. Proper network segmentation can help:
- Provide a strong level of protection for critical servers and applications on a need-to-know basis
- Cordon off remote workers into their required areas of the network
- Simplify network management, including event monitoring and incident response
- Minimize the effort required by the never-ending onslaught of security audits and questionnaires from business partners and customers
While these benefits are all good in theory, there's more to the task than just "segment and be done with it." Organizations must consider the following downsides and challenges to network segmentation:
- For cross-functional departments, outside vendors and business processes that need access to many parts of the internal network, segmenting access at that level of granularity can become impossible.
- Using virtual local area networks (VLANs) for segmentation -- the most common type I see -- may seem like a good idea, but a VLAN on its own only separates traffic; if nothing filters what is routed between VLANs, anyone on the local network can simply hop over to another segment, bypassing the access restrictions that were likely the point of network segmentation in the first place, as long as they know the IP addressing scheme(s).
- Segmentation can prove to be a real pain when performing security vulnerability scans. You'll need to physically or logically move your scanner from segment to segment, adjusting access control lists or firewall rules as you go, or else deploy remote scanner sensors in each segment.
- If enterprises don't use endpoint security controls such as antimalware, intrusion prevention and data loss prevention to counter malicious use within each network segment (e.g., a malware infection or insider threat), they will still face considerable risks.
- Numerous Internet-facing network infrastructure devices, servers, Web applications and cloud services that enterprises rely on today have to be available to the world -- an organization can try to keep out the bad traffic, but that is becoming harder to achieve.
- Executives don't want their computing experience to be impeded, period.
However, network segmentation may not always be the answer. Specific business processes, partner network connections or lack of network management resources (e.g., money or skills) may matter most. Even in the pursuit of balancing security with convenience, the latter often takes precedence. Still, none of these mean you shouldn't have a properly segmented network.
What strikes me as interesting is that many organizations, large enterprises included, have implemented various levels of network segmentation without fully understanding where its real risks are. You cannot secure what you don't acknowledge. If you don't have a clear understanding of what is where and how it is at risk, you're not going to be able to implement effective network segmentation that's workable over the long haul.
Today's "all-connected" networks no doubt facilitate security breaches that can be prevented by using proven security principles. As with everything security-related, there's no one-size-fits-all solution; every network is different, every business has unique requirements and every group of business executives has varying information risk tolerances.
So what's best for your enterprise? Only you will know. A mix of firewall rules, ACLs and VLANs will be in order to specify which users and which systems need access to which areas of your network. A solid penetration test and ongoing security assessments will also help organizations uncover what additional measures are needed. You'll likely find that you need additional IPS sensors, stronger file access controls or even a narrower focus for your DLP controls.
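As an added example (not from the original article), here is a small Python audit that compares an ACL against the list of inter-segment flows that actually have a business need, which is the "who needs access to what" question the paragraph above leaves to you. The segment names, addresses, NEEDED_FLOWS and the Rule shape are all constructed assumptions; an empty ACL is treated as the VLAN-only design where nothing filters routed traffic.

```python
import ipaddress
from typing import NamedTuple, Optional
# Constructed example: three VLAN segments as the segmentation policy defines them.
SEGMENTS = {
    "users": ipaddress.ip_network("10.10.0.0/24"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "pci": ipaddress.ip_network("10.30.0.0/24"),
}

# Inter-segment flows with a documented business need, as (src, dst, port).
# Anything not listed here has no justification and should be denied.
NEEDED_FLOWS = {("users", "servers", 443), ("servers", "pci", 5432)}

class Rule(NamedTuple):
    action: str          # "permit" or "deny"
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    port: Optional[int]  # None means any port

def segments_matching(cidr):
    """Policy segments a rule field covers; 'any' or a supernet covers all of them."""
    if cidr == "any":
        return set(SEGMENTS)
    net = ipaddress.ip_network(cidr)
    return {n for n, seg in SEGMENTS.items() if net.subnet_of(seg) or seg.subnet_of(net)}

def audit_acl(rules):
    """Return inter-segment flows a permit rule allows without a business need."""
    # An empty ACL models the VLAN-only design: nothing filters routed traffic.
    # Every permit is checked regardless of order (conservative for first-match ACLs).
    if not rules:
        rules = [Rule("permit", "any", "any", None)]
    findings = set()
    for rule in rules:
        if rule.action != "permit":
            continue
        for src in segments_matching(rule.src):
            for dst in segments_matching(rule.dst):
                if src == dst:
                    continue  # traffic inside one VLAN is not what the ACL governs
                if rule.port is None or (src, dst, rule.port) not in NEEDED_FLOWS:
                    findings.add((src, dst, rule.port))
    return sorted(findings, key=str)
# Constructed ACL: the second rule is the common "users can reach anything" shortcut.
EXAMPLE_ACL = [
    Rule("permit", "10.10.0.0/24", "10.20.0.0/24", 443),
    Rule("permit", "10.10.0.0/24", "any", None),
    Rule("permit", "10.20.0.0/24", "10.30.0.0/24", 5432),
    Rule("deny", "any", "any", None),
]
```

Running `audit_acl(EXAMPLE_ACL)` reports the users-to-servers and users-to-pci "any port" flows opened by the shortcut rule, while the two justified flows pass; the same check against a real ACL export is how you confirm the VLANs are actually enforcing the policy rather than just labelling it.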
Once organizations have the right mix of tools and techniques, the hard work begins: the actual implementation of "ideal" network segmentation. Of course, the business drivers that dictate whether you apply network segmentation will come into play as well. These might include known risks, compliance (e.g., PCI DSS) or contractual requirements, or specific business processes that need this functionality. While companies may never reach their "ideal state," it is critical that you do whatever possible to minimize the network attack surface available to any given user.
With the network complexity enterprises are dealing with today, minimizing the impact of a breach is just about as important -- and as reasonable -- as preventing the breach in the first place. Ultimately, politics and culture will determine what network segmentation is kept in place and your enterprise will just have to be okay with that.
About the author:
Kevin Beaver is an information security consultant, writer, professional speaker and expert witness with Atlanta-based Principle Logic, LLC. With over 25 years of experience in the industry, Kevin specializes in performing independent security vulnerability assessments of network systems as well as Web and mobile applications. He has authored/co-authored 11 books on information security including the best-selling Hacking for Dummies, The Practical Guide to HIPAA Privacy and Security Compliance and Implementation Strategies for Fulfilling and Maintaining IT Compliance. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin through his website www.principlelogic.com and follow him on Twitter at @kevinbeaver.